Vendors leave crypto key in the door when it comes to security

The problem of certificates baked into firmware continues to jeopardise the security of consumer internet devices despite warnings to vendors, according to a researcher.

Are vendors dropping the ball?

Manufacturers of internet gateways, routers and modems are leaving the key in the door when it comes to security by re-using private SSH keys and HTTPS certificates, a researcher claims.

In a report entitled The House of Keys, cyber-security firm SEC Consult said it had identified more than 50 vendors and thousands of device models with embedded security certificates that were vulnerable to attack because the manufacturers had re-used private keys.

In the first round of research in November 2015, Stefan Viehböck, senior security consultant at SEC Consult, found 580 unique private keys in use across millions of devices. He found these keys being used in nine percent of HTTPS hosts on the web, accounting for 3.2 million hosts using 150 unique server certificates. He also found 80 private keys in use by 900,000 SSH hosts, accounting for six percent of hosts on the web.

In the second round of research, completed recently, the problem has only become worse, with a 40 percent growth in bad HTTPS server certificates to 4.5 million. He attributes this to a number of factors: the lag between the development and deployment of security patches, insufficient firewalling on the WAN side by users and ISPs and the growth in IoT-enabled products.

The picture for SSH hosts is less clear as he was unable to access data on these for the second round of the study.

Each device should have a unique private key but the widespread re-use of ‘static’ keys comes about when vendors code the key into the firmware of internet-connected devices.

Because of the widespread use of OEM products, ‘baked in’ keys can be shared across devices from multiple manufacturers. So, for instance, a certificate issued to a person named “Daniel” is used in the firmware for products from Actiontec, Aztech, Comtrend, Innatech, Linksys, Smart RG, Zhone and ZyXEL, Viehböck said, and originates from a Broadcom SDK. Consequently, 480,000 devices on the web use the same certificate.

And there are other examples from Texas Instruments and ZyXEL.
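The key re-use described above can be checked for in an organisation's own device inventory. The following is an added example, not code from the SEC Consult report or from the original article: it fingerprints each SSH host key in a known_hosts-style list and reports any key that appears on more than one device. The device names and key blobs are constructed for illustration, and the one-line-per-device layout is an assumption.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(inventory_text: str) -> dict:
    """Return {fingerprint: sorted device labels} for keys seen on 2+ devices."""
    devices_by_fp = defaultdict(set)
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "@")):  # comments, CA/revoked markers
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed entry
        device, _key_type, key_b64 = fields[:3]
        try:
            fp = fingerprint(key_b64)
        except ValueError:  # invalid base64 in the key field
            continue
        devices_by_fp[fp].add(device)  # assumption: one line per device
    return {fp: sorted(d) for fp, d in devices_by_fp.items() if len(d) > 1}


def _sample_blob(seed: int) -> str:
    # Constructed, structurally valid ssh-ed25519 blob; not a real device key.
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(raw).decode()


SAMPLE_INVENTORY = "\n".join([
    "# constructed inventory, one line per device",
    f"gw-lab-01 ssh-ed25519 {_sample_blob(1)}",
    f"gw-lab-02 ssh-ed25519 {_sample_blob(1)}",
    f"modem-office ssh-ed25519 {_sample_blob(2)}",
    f"cpe-branch ssh-ed25519 {_sample_blob(1)}",
])

if __name__ == "__main__":
    for fp, devices in find_shared_keys(SAMPLE_INVENTORY).items():
        print(f"{fp} shared by {len(devices)} devices: {', '.join(devices)}")
```

Any fingerprint this reports marks devices that would all be exposed if the private key were recovered from one of them, so those are the units to re-key or replace first.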

The scanned devices are visible on the web because they have had remote management enabled, which consumers are advised to disable if it's not needed.

A particular problem for consumers in securing their routers and modems is that in many cases the misconfigured equipment has been supplied to them by their internet service provider (ISP).

Robert Page, lead penetration tester at Redscan, was impressed by the research, telling SCMagazineUK.com that as a pen tester, he would scan for SSH keys that he could use to exploit vulnerable devices.

He said the research was more concerning for home and small business users as larger organisations would use more sophisticated devices that require the administrator to manage their own security certificates.

Page was concerned about ISPs supplying badly configured devices to consumers. “Many of these [insecure] devices are CPE [customer premises equipment] so the ISP is not taking adequate steps to check security before shipping them to the consumer,” he said.

“From the consumer standpoint, they are going to have to try to get the vendor to release new firmware to generate unique encryption keys on the devices,” he said. “It would have been easier if they could have done it in the factory before shipping it to the consumer.”

Viehböck has published the details of the private keys he discovered during his research in a GitHub repository.